Having an Identity Crisis? CISO’s Need to Own IAM

Within any company, we can find owners for every key function throughout the enterprise. If we ask, “who is in charge of human resources?” we know the name of the SVP or director of human resources will surface. If we ask, “who ultimately owns the uptime of our technology infrastructure?” our chief technology officer will raise her hand. If we want to know the strategic plan for product development, we can clearly articulate the rings of the organizational tree that represent every single leadership role supporting this function. Certainly, we know that the threat environment has changed at such a fundamental level that a chief information security officer now definitively owns information security. Which brings us to a rather strange and dangerous conundrum.

If someone today asked you who owns identity in your company, what would be your answer?

This simple question is the query that starts us on a path of complexities that are real and manufactured. This simple question, when answered and resolved, sends us on a trajectory of improved operations, a reduction in operating expenses and a stronger security foundation. When answered, identity and access management becomes faster, cheaper and safer. Yet, it is the asking of this question and the search for the answer that shines the light on this conundrum.

Before delving into the question further, take a moment to think about every other critical security function in your organization. Can you imagine how effective your perimeter security, security event monitoring, threat analytics and intelligence, penetration testing or data loss protection efforts would be if ownership for the core fundamentals of that function were spread across a dozen owners? How safe would your company be if one of those owners unilaterally made a decision to open a public facing port on your network without following any processes or providing any notification?

Yet, when it comes to identity, every day a manager in the line or in an HR function makes a conscious decision to backdate an employee termination that occurred four weeks ago. The employee’s manager forgot or was on vacation, and suddenly a unilateral decision due to a failed process and a failed series of controls leads to a former employee having persistent access to your network and applications for a month after being terminated. Distributed ownership of the pieces of identity results in major holes in your security program.

Many companies are beginning to acknowledge and recognize the causes of these fundamental weaknesses. For example, the help desk owning the administration access function for Windows credentials while HR owns the job description and possibly the job role definition causes this weakness. An outsourced security company owning physical access credentials while a payroll function owns the employee’s place of work and place of domicile addresses causes this weakness. An application developer embedding another employee’s access credentials into a line of code or the inability to distinguish an FTE from a contractor causes this weakness.

Chief information security officers and the companies they protect now realize this distribution of ownership drives the reality that IAM efforts do not result in the outcomes they need. In fact, 63 percent of breaches are still driven by the misappropriation of account credentials. CISOs understand that the simple summing up of application and OS accounts under a master account does not equal identity. In order to build a security program on a bedrock foundation, CISOs realize that the security function must set the rules, policies, procedures and standards for all key aspects of the user identity within a company. And it isn’t just employees. Every individual that has a relationship with your company is no longer an outsider. The fact that they have a relationship with you makes them an insider; whether customer, supplier, outsource provider or food service company.

The time to take control of all of the levers of identity to drive a next generation identity and access management control function is now. Are you ready to take that step? The success of your security program depends on it.

Richard Bird is an information technology, risk and information security executive with more than 25 years of experience. In his current role as an executive director within the Office of the CISO executive advisory team at Optiv, he works with chief information security officers, boards of directors and senior executives within our clients as a trusted advisor helping to assess, develop, guide and improve information security management programs while ensuring alignment with business goals and objectives.